Thank you for the reply and sorry - I didn't quite make myself clear. Using state was not the correct term. Having read the JAAS tutorial I see that a Subject can have many principals. For instance a username, a social security number etc. Using the ClientLoginModule (from a remote java client) I was hoping that I could add addition principals to my Subject and the additional Principals would be available in the server in my custom login module. This isn't the case. I think I know why now as in the SecurityClientInterceptor.java JBoss does the following: public Object invoke(org.jboss.aop.joinpoint.Invocation invocation) throws Throwable | { | // Get Principal and credentials | Principal principal = SecurityActions.getPrincipal(); | if (principal != null) invocation.getMetaData().addMetaData("security", "principal", principal); | | Object credential = SecurityActions.getCredential(); | if (credential != null) invocation.getMetaData().addMetaData("security", "credential", credential); | | return invocation.invokeNext(); | } | So it appears that only a Principal and Credential are remoted to the server in the ejb call meta data. Not that I really know anything about it but I was expecting to see a Subject used rather than a Principal. I'll investigate using a custom principal. I can see no way from a remote java client to get information into the options and shared state maps as I understand it, they are purely for purposes of communication between login modules and for configuration options. View the original post : http://www.jboss.com/index.html?module=bb&op=viewtopic&p=4147457#... Reply to the post : http://www.jboss.com/index.html?module=bb&op=posting&mode=reply&a...